MAL-2026-4772

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/txdpy/MAL-2026-4772.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4772
Published
2026-05-20T17:54:34Z
Modified
2026-05-26T06:03:15.565889856Z
Summary
Malicious code in txdpy (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (767f0e720df9d2dd670fc9c607db01794649653be89daa42f01dfe34a69a8ecd)

The package exports a 发送邮件 (sendemail) function whose default sender, recipient, and SMTP auth code are hardcoded to the author's QQ account. In txdpy/发送邮件.py lines 14-17, senderemail defaults to '3215176932@qq.com', receiveremail defaults to 'xdsndy@qq.com', and password defaults to the embedded QQ SMTP authorization code. A caller invoking this documented API with the minimal signature (subject and body only) silently delivers their message content to the author's inbox via smtp.qq.com using the author's credentials — the API's advertised purpose (generic email sending) does not match its actual behavior (relaying to a fixed author-controlled mailbox). The function is re-exported from __init__.py, making it part of the package's public surface. Additionally, txdpy/翻译.py:18-20 ships the author's Baidu Translate API credentials (appid 20220712001270949 + secretkey) — author self-harm rather than installer harm, but corroborates a pattern of careless credential handling. A separate quality issue: pyndjs.py:74 evaluates os.popen('where node') as a function default argument, causing shell execution at import time.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2026.5"
            ],
            "sha256": "767f0e720df9d2dd670fc9c607db01794649653be89daa42f01dfe34a69a8ecd",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T17:54:34Z",
            "id": "IN-MAL-2026-003581",
            "import_time": "2026-05-26T05:50:54.073724066Z"
        }
    ]
}
References
Credits

Affected packages

PyPI / txdpy

Package

Affected ranges

Affected versions

2026.*
2026.5

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "txdpy-2026.5-py3-none-any.whl",
            "hashes": {
                "sha256": "d15e1268b13116f914a1ce91610d8530bf1a2cac4ea364c139b5be7aba6ea920",
                "md5": "26e1296dae3ecf1d0ca83bb8dd425faf",
                "blake2b_256": "a4c00487cef669b5d71f50705b094932779228aead9662334183d583c8f4493e"
            }
        },
        {
            "filename": "txdpy-2026.5.tar.gz",
            "hashes": {
                "sha256": "f71b126a57a49ac63ee86dde08d976d659a4ddfdb00fa149a406eaeff3ae6fba",
                "md5": "355f8d80f4729bd1327b9797430bc945",
                "blake2b_256": "f2df556a3161181a4fb17421b7427a4489056d819bd11d477c3b5b3f67ab2dda"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "af4d7a0b645703f9d8a60f2363cf33d78c31e6f03348966f0b382b2320ae3af4",
            "path": "txdpy/\u53d1\u9001\u90ae\u4ef6.py",
            "tlsh": "f5219c056e9b2caf21fae187f416a404eadc10032a385664f4186e1e3f3be1722517ba"
        },
        {
            "sha256": "38d29739be980985a1d2d86945efb0d81936054d3865706adcbcb84fb8ba6094",
            "path": "txdpy/\u7ffb\u8bd1.py",
            "tlsh": "1c118c219c26600590b1d52e62d67c14d03fe5025bd86f377b5dd51b1f7315939f8a4c"
        },
        {
            "sha256": "3232898209de9a56fc49e0c1c73dc0d9f0fd920e1a3bb95505f98e924ece09e6",
            "path": "txdpy/pyndjs.py",
            "tlsh": "54c1a6057c663a2481b3ba251847090ae17d6bb388e870e9fbddc1e11f75c18427af7e"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/txdpy/MAL-2026-4772.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]